Getting To The Root Of Security With Trusted Silicon

The increasingly distributed nature of computing and the rapid growth in the number of the small connected devices that make up the Internet of Things (IoT) are combining with trends like the rise of silicon-level vulnerabilities highlighted by Spectre, Meltdown, and more recent variants to create an expanding and fluid security landscape that’s difficult for enterprises to navigate.

Each intelligent, connected sensor, device or system represents a way for hackers to get into the corporate network and each exploit in hardware puts datacenter infrastructure – whether on-premises or in the cloud – at risk. With workloads and data moving from the core datacenter out to the edge or the cloud and back and applications coming in from multiple sources, traditional perimeter defenses by themselves no longer cut it, putting the onus on tech vendors and component makers to find ways to ensure that their products and datacenters are safe.

It’s no easy task. Intel and other chip companies such as AMD and the Arm collective responded last year, when the Spectre and Meltdown vulnerabilities were disclosed, with fixes aimed at shutting down the problems, and Intel has baked features into its upcoming “Cascade Lake” chips designed to shut down the side channel vulnerabilities that gave rise to them. But in the months since the exploits were made public, more variants have popped up – the most recent example being the Foreshadow/L1TF vulnerability detected earlier this month – and the challenges have been amplified.

Both Microsoft and Google in recent months have introduced hardware-based technologies designed to bring greater security and trust at the silicon level. In April, Microsoft unveiled Azure Sphere, a silicon-based platform designed to secure the billions of microcontroller-powered IoT devices that includes a new class of MCUs built with such manufacturing partners as MediaTek, a secure operating system and services to ensure the Azure Sphere devices remain secure.

Azure Sphere came a month after Google, at its Cloud Next 2018 conference in March, introduced Titan, a small chip aimed at creating a “silicon root of trust” to ensure that Google has as much control as possible over the hardware that gets put into its cloud datacenters, from the time the components are manufactured, to when the systems and peripherals are up and running, through to when they’re taken offline. Google is in the process of making Titan available as open source through its Silicon Transparency Working Group with partners lowRISC and ETH Zurich.

Both companies were at this week’s Hot Chips 2018 conference in Silicon Valley to talk about not only the technologies but also to outline the motivations for developing them. For Doug Stiles, senior director of hardware engineering for silicon development at Microsoft, the drivers were the MCUs, which have been produced for decades and continue to power many IoT devices.

“They are used all over the place,” Stiles said. “They don’t require the massive processing of the chips you heard about today. As a matter of fact, in 2017, most of them weren’t even 32-bit devices. They could be manufactured at low cost in older, fully depreciated fabs. But what’s been happening in the last several years is that those older, depreciated fabs are now putting out some pretty sophisticated processors with some pretty good overall performance, with a wide variety of productivity solutions as well as sizeable on-chip memory. In 2017, there were about 9 billion connected devices shipped and it’s estimated there will be 30 billion just a year-and-a-half from now. That’s a big attack surface. That’s a lot of devices that can be leveraged in nefarious ways. This is what led us to develop Azure Sphere. Azure Sphere is an end-to-end solution for securing those MCU-powered devices.”

Stiles pointed to Mirai, which infected vulnerable Linux-based systems to build a botnet of more than 100,000 networked devices – including such IoT devices as home routers and video surveillance cameras – and used it to launch distributed denial-of-service (DDoS) attacks that brought down service provider Dyn and other organizations around the world. It showed the havoc threat actors can wreak if they get control of IoT devices, putting people and businesses at risk.

Microsoft is working with chip makers to develop Azure Sphere processors – the first one, below, is the MT3620 developed by MediaTek – that can run the Azure Sphere OS. The 40 nanometer chip is a system-in-package with 16 MB or 32 MB of flash and a 3.3 volt power supply. It includes five processors for applications, I/O peripherals and processing, WiFi and Microsoft’s Pluton Security subsystem. All the units on the chip are protected by hardware firewalls.

The Pluton subsystem is a 200 MHz M4 processor with ROM for initialization and boot code, 128 KB of TCM for the security runtime and 4 KB of e-fuses for cryptographic keys, security state and rollback state. Keys are generated randomly, are unique to each device and are stored in the e-fuses, which keeps them inaccessible to software and cuts off an avenue for attackers. Other features: the security processor is the first to boot, running its initial code from ROM; all software is signed; and certificates are used rather than passwords. The hardware can detect failures or anomalies and report them back to the cloud.

“It’s ROM because we wanted to know what it did and trust it, that was the only thing that ran when it started up,” Stiles said. “One of the main features of that ROM code is that it does a certificate validation of the security code that will subsequently load onto the M4 to run its security. Software won’t even run if it hasn’t been validated.”

He said the Azure Sphere OS will be open sourced and Microsoft will make the Pluton Security core available to chip makers royalty-free.

For Google, Titan revolves around trust, transparency and control, said Scott Johnson, hardware engineer at the hyperscaler.

“A lot of questions are being asked about security in the datacenter,” Johnson said. “We could ask ourselves a lot of questions. For instance, how do we know it’s our equipment that’s in the datacenter? You’d think that is an obvious answer, but datacenters are huge, they’re distributed all throughout the world. We wanted ways to know that it’s our equipment that’s in there and it’s not being spoofed, so our solution was to tag and verify. We call this ‘cryptographic attestation.’ We came to the reality that we needed some sort of silicon root of trust, some way to tag to ensure that all these are ours. Our saying is, ‘If you want a chain you can trust, you have to control the whole chain,’ and I don’t think we’re the only company that’s come to that conclusion.”

What the company needed was a silicon root of trust, he said. Google needed to ensure that every datacenter element was securely identified and, similar to Microsoft, that the first instruction executed by the system is understood, cryptographically signed and verified. After that, the company wanted to be able to monitor the elements as they run in the datacenter and to trust the implementation. Those requirements called for on-chip verified boot, cryptographic identification and secure manufacturing, boot firmware that is signature-checked and monitored, physical security on the silicon and transparent development.

Titan is a microcontroller with an embedded 32-bit processor, with all code executing from memory inside the chip, not outside it. It includes one-time programmable fuses and two versions of flash, along with security peripherals such as a key manager, a random number generator and timers.

When the host CPU requests its first boot instruction, the signed boot code is read from the boot firmware flash through Titan, which authenticates the firmware and only then releases the system reset. Titan also continuously monitors the environment for illegal activity and is available for cryptographic attestation and logging.
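The boot sequence shared by Pluton and Titan (ROM-resident code verifies the signature on the next stage, rejects downgrades using fused rollback state, and only then lets the rest of the system run) can be modelled in a few dozen lines. The following is an added example, not code from Microsoft, Google or this article; the image layout (a 4-byte version field followed by the payload, with a detached Ed25519 signature over both), the Go type names and the use of Ed25519 are assumptions chosen for illustration, not the formats or algorithms of either product.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a signed boot image. The layout used here (4-byte big-endian
// version, then the code payload, with a detached Ed25519 signature over both)
// is an assumption of this example, not the Azure Sphere or Titan image format.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// RootOfTrust models the immutable state the article attributes to the security
// processor: a verification key fixed in ROM and a rollback counter in e-fuses.
type RootOfTrust struct {
	rootPub       ed25519.PublicKey
	minVersion    uint32 // rollback state: lowest firmware version still accepted
	resetReleased bool   // true once verified code may run on the application cores
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify against ROM key")
	ErrRollback     = errors.New("firmware version is below the fused rollback state")
)

// NewVendorKey generates the vendor's signing key pair. Only the public half is
// ever placed on the device; the private half stays with whoever signs firmware.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewRootOfTrust "burns" the public key and initial rollback state at manufacture.
func NewRootOfTrust(rootPub ed25519.PublicKey, minVersion uint32) *RootOfTrust {
	return &RootOfTrust{rootPub: rootPub, minVersion: minVersion}
}

// signedBytes is the exact byte string covered by the signature: the version is
// included so the anti-rollback field cannot be edited without breaking the signature.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], payload)
	return buf
}

// Sign is the vendor-side build step that produces a bootable image.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// VerifyAndBoot is the ROM-resident check that runs before anything else executes:
// verify the signature, enforce anti-rollback, advance the fused counter, and only
// then release the system reset. Any failure leaves the reset asserted.
func (r *RootOfTrust) VerifyAndBoot(img FirmwareImage) error {
	if !ed25519.Verify(r.rootPub, signedBytes(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version < r.minVersion {
		return ErrRollback
	}
	r.minVersion = img.Version // fuse state only ever moves forward
	r.resetReleased = true
	return nil
}

// ResetReleased reports whether verified code has been allowed to run.
func (r *RootOfTrust) ResetReleased() bool { return r.resetReleased }

// MinVersion reports the current rollback state.
func (r *RootOfTrust) MinVersion() uint32 { return r.minVersion }

func main() {
	pub, priv := NewVendorKey()
	rot := NewRootOfTrust(pub, 2) // fused at manufacture to refuse anything below v2

	// Constructed sample images: a current build, a downgrade and a tampered copy.
	current := Sign(priv, 3, []byte("security runtime build 3"))
	downgrade := Sign(priv, 1, []byte("security runtime build 1"))
	tampered := current
	tampered.Payload = []byte("security runtime build 3 with an extra byte")

	for _, c := range []struct {
		name string
		img  FirmwareImage
	}{{"current", current}, {"downgrade", downgrade}, {"tampered", tampered}} {
		fmt.Printf("%-9s -> err=%v resetReleased=%v\n", c.name, rot.VerifyAndBoot(c.img), rot.ResetReleased())
	}
}
```

Two design points match the article's description: the verification key and the check itself live in the part of the device that software cannot rewrite, and the version counter is inside the signed region, so an attacker who can rewrite flash can neither substitute code nor re-label an old, vulnerable image as current.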

“We want to completely own as much as we could,” Johnson said. “Transparency is one of the words we’re really interested in here. Understanding that the implementation of the silicon gave us the beginning of the boot, understanding everything that needs to go into the datacenter.”

Up next is open sourcing key parts of Titan, he said. Many of the elements of the microcontroller can be open, though some – including the flash, ROM and fuses – need input from the component vendors.


1 Comment

  1. If and when these secure environments are compromised, will the solution be to simply buy new hardware? It might be feasible to swap a TPM-style module in a PC but that would be unworkable for IoT. Google and Microsoft’s open source approach is refreshing compared to Intel’s opaque AMT/ME/TXE ecosystem but I don’t think this is the solution to IoT security woes.
